
Understanding 'PrintNightmare vulnerability' that threatened security of Windows users

The flaw could have led to total loss of confidentiality and integrity for a user

Microsoft has released an emergency Windows patch for a vulnerability that threatened to compromise the security of its users.

Within a few days of the flaw becoming public, patches were issued for Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1 and several versions of Windows 10. Microsoft has yet to issue patches for Windows Server 2012, Windows Server 2016 and Windows 10 Version 1607, but the company has said that updates for these versions will be released soon.

The vulnerability

The flaw, which sits in the Windows Print Spooler service and is now known as the 'PrintNightmare vulnerability', lives up to its sobriquet: it allows an attacker to install programmes, modify data on the system and create new accounts with full administrative privileges.

The flaw lets an attacker take over a domain controller, and with it the whole domain, with little effort. According to reports, Microsoft itself admitted that "domain controllers are affected if the print spooler service is enabled", which is why switching the spooler off on domain controllers that do not need it has been a common stop-gap mitigation.

"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft had said in a statement.

The attack abuses the 'RpcAddPrinterDriverEx()' RPC function, which the spooler exposes so that printer drivers can be installed. PrintNightmare calls this function with driver data that points at an attacker-controlled driver file, hosted either on the local machine or on a remote server, so that the Print Spooler service, which runs as SYSTEM, loads the file and executes arbitrary code. Because the function can be reached by any authenticated user, a low-privileged domain account is enough to trigger it.
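A driver installed through RpcAddPrinterDriverEx leaves a trace in the Microsoft-Windows-PrintService/Operational log, and the tell is a driver file that points at a UNC share or at a directory outside the spooler's own driver store. The Python script below is an added example, not code from the original article or from Microsoft, showing how a defender can flag such installs. The event records are constructed for the demonstration and modelled on the message text of Event ID 316 (driver added or updated) and Event ID 808 (plug-in module failed to load); the check for an `old\<n>` backup path in 808 events is a heuristic taken from public PrintNightmare write-ups, not something the article states. In practice the events would be pulled with Get-WinEvent, and the Operational log is disabled by default, so it must be enabled before anything is captured.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry), shaped like the messages of
# Microsoft-Windows-PrintService/Operational Event ID 316 ("Printer driver ...
# was added or updated") and Event ID 808 ("The print spooler failed to load a
# plug-in module ..."). In production these would come from Get-WinEvent.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 316, "TimeCreated": "2021-07-01T10:02:11",
     "Message": "Printer driver Microsoft XPS Document Writer v4 for Windows x64 "
                "was added or updated. Files:- "
                "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\mxdwdrv.dll, "
                "C:\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\PrintConfig.dll. "
                "No user action is required."},
    {"EventID": 316, "TimeCreated": "2021-07-01T10:05:42",
     "Message": "Printer driver 1234 for Windows x64 was added or updated. "
                "Files:- \\\\192.0.2.10\\share\\payload.dll, UNIDRV.DLL, kernelbase.dll. "
                "No user action is required."},
    {"EventID": 316, "TimeCreated": "2021-07-01T10:06:05",
     "Message": "Printer driver 1234 for Windows x64 was added or updated. "
                "Files:- C:\\Users\\Public\\payload.dll, UNIDRV.DLL, kernelbase.dll. "
                "No user action is required."},
    {"EventID": 808, "TimeCreated": "2021-07-01T10:06:06",
     "Message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\old\\1\\payload.dll, "
                "error code 0x45A. See the event user data for context information."},
    {"EventID": 307, "TimeCreated": "2021-07-01T10:07:00",
     "Message": "Document 12, Print Document owned by alice on \\\\WS01 was printed "
                "on Microsoft Print to PDF through port PORTPROMPT:."},
]

# Legitimate drivers are staged into the spooler's own driver store.
SPOOL_DRIVER_STORE = "c:\\windows\\system32\\spool\\drivers\\"

DRIVER_ADDED = re.compile(
    r"Printer driver (?P<driver>.+?) for Windows (?P<arch>\S+) was added or updated\. "
    r"Files:- (?P<files>.+?)(?:\. No user action is required\.)?$"
)
PLUGIN_LOAD_FAILED = re.compile(
    r"failed to load a plug-in module (?P<module>.+?), error code (?P<code>0x[0-9A-Fa-f]+)"
)


def suspicious_path_reason(path: str) -> Optional[str]:
    """Explain why a driver file path is suspect, or return None if it looks normal.

    Bare file names (e.g. UNIDRV.DLL) are resolved by the spooler from its own
    store, so only explicit paths are judged here.
    """
    p = path.strip().strip('"').lower()
    if p.startswith("\\\\"):
        return "driver file referenced by UNC path (remote server)"
    if re.match(r"^[a-z]:\\", p) and not p.startswith(SPOOL_DRIVER_STORE):
        return "driver file outside the spooler driver store"
    return None


def analyze_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one finding per suspicious driver file or backup-path load attempt."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        eid, msg = ev["EventID"], str(ev["Message"])
        if eid == 316:
            m = DRIVER_ADDED.search(msg)
            if not m:
                continue
            for f in m.group("files").split(","):
                reason = suspicious_path_reason(f)
                if reason:
                    findings.append({"time": ev["TimeCreated"], "event_id": 316,
                                     "driver": m.group("driver"), "path": f.strip(),
                                     "reason": reason})
        elif eid == 808:
            m = PLUGIN_LOAD_FAILED.search(msg)
            # Heuristic (assumption from public write-ups, not from the article):
            # the exploit's DLL ends up under ...\3\old\<n>\ and surfaces in 808 events.
            if m and "\\old\\" in m.group("module").lower():
                findings.append({"time": ev["TimeCreated"], "event_id": 808,
                                 "driver": None, "path": m.group("module"),
                                 "reason": "spooler tried to load a module from the driver backup path"})
    return findings


if __name__ == "__main__":
    for hit in analyze_events(SAMPLE_EVENTS):
        print(f"{hit['time']} [{hit['event_id']}] {hit['reason']}: {hit['path']}")
```

The store-path check is deliberately strict: a genuine vendor driver lands in the spooler's driver store, so any explicit path elsewhere is worth a look, and a UNC path in a driver add is almost never legitimate on a domain controller.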

Attackers thereby gain immediate control of critical systems. The likely result is a total loss of confidentiality and integrity for the affected user.

The flaw in the Windows Print Spooler service came to light after the accidental publication of proof-of-concept (PoC) exploit code.

Microsoft revealed that the "vulnerability existed before the June 8, 2021 security update."

ExtraHop's threat research data suggested that 93 per cent of servers could have been vulnerable to the threat, making it one of the most severe security issues to date.

Microsoft was swift to react as the US Cybersecurity and Infrastructure Security Agency (CISA), the CERT Coordination Center (CERT/CC) and other agencies called for urgent action against this critical remote code execution (RCE) vulnerability.

After the threat was identified, Microsoft issued a statement saying, "We recommend that you install these updates immediately."

"Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as 'PrintNightmare', documented in CVE-2021-34527," Microsoft said.
